Disney to Pay $10M Over Kids’ Data Privacy Violations

CyberDefender 4 mins0

The Walt Disney Company agreed to pay a $10 million civil penalty to settle allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by improperly handling children’s data across certain digital properties and video content.

How the alleged violations occurred

According to regulators:

  • Disney allegedly designated some child-directed video content as “general audience”
  • That designation allowed advertising technology and tracking tools to operate on those videos
  • As a result, persistent identifiers (such as cookies and device IDs) could be collected from children under 13
  • Those identifiers were then used for behavioral or targeted advertising, which COPPA largely prohibits without verifiable parental consent

Under COPPA, even collecting data for advertising measurement or audience profiling can be illegal if the content is child-directed and parental permission has not been obtained.

Why mislabeling content matters under COPPA

COPPA enforcement focuses heavily on how content is categorized, not just what data is collected:

  • If content is labeled as child-directed, platforms must:
    • Limit data collection to what is strictly necessary
    • Disable behavioral advertising
    • Provide clear parental notices and consent mechanisms
  • If content is labeled general audience, standard ad-tech systems often activate automatically

Regulators alleged Disney’s labeling decisions effectively removed COPPA safeguards, even if unintentionally.

Role of third-party advertisers

A key point in the case is that:

  • Disney allegedly allowed third-party ad networks and analytics providers to collect data
  • Regulators emphasized that companies remain legally responsible for data collection by vendors on their platforms
  • COPPA does not allow companies to shift liability to advertising partners

This reinforces that using third-party ad tools does not reduce compliance obligations.

Enforcement authority and outcome

The settlement was reached with U.S. regulators, including the Federal Trade Commission, which enforces COPPA.

As part of the resolution:

  • Disney agreed to pay the penalty without admitting wrongdoing
  • The company is expected to strengthen internal compliance programs
  • Improvements may include:
    • More rigorous content-labeling reviews
    • Better oversight of ad-tech partners
    • Training for teams responsible for kids’ content and monetization

Why this case is important

This settlement sends several broader signals:

  • Large media companies are not exempt from children’s privacy rules
  • Regulators are scrutinizing streaming, video, and digital media, not just apps and social platforms
  • Children’s privacy enforcement is shifting from one-off violations to system-wide compliance failures

Industry-wide implications

  • Streaming platforms may reduce or eliminate targeted ads on kids’ content
  • Advertisers are increasingly pushed toward contextual advertising, which does not rely on personal data
  • Companies face growing pressure to adopt privacy-by-design approaches for children’s media

CyberDefender